Posted
by
Unknown Lameron Wednesday August 27, 2014 @12:06AM
from the not-like-prisoners-are-people-anyway dept.

Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed.
To make matters worse, one of the unencrypted backup hard drives walked away.

The identity of 3000 people who have been proven they are prepared to break the law? Or maybe the police reports on the true connection/affiliation of said people? Can't possibly see how that information could of be any use to organised crime...

The US, UK, Canada and many other countries have an old age pension system that are all very easy to exploit if you have the number. Crooks amass multiple numbers and then collect the pensions. The system is very lax and doesn't check whether someone who claims to be 104 years old is really still alive and at least looks like he is 104 for example.

Whenever you hear of some Romanian peasant who reached the ripe old age of 120, it is simply because he adopted the identity of his parent, bur

where do you think all the bond villains get their recruits?
"Hello, Mister Job is it?.... Oh, it's Mister Oddjob? Sorry... I'm calling from Goldfinger Staffing Services. We happened to come upon your resume'..."

This actually happened at a company I worked at corrupt insiders allowed a hit man to track down the parents of a criminal who where then both killed - I believe the insiders got done for conspiracy and are serving a long prison sentence.

The drive walks away one evening, then the next morning it shows up and oh hey it looks like Doctor Death is coming up for release, he's served 999.9 years of his 1000 year sentence, it says so right in this excel spreadsheet, and excel never lies.

There is no such thing as absolutely secure encryption. A good policy is to not have secrets. But secrets are a fact of life. Even then, security through obscurity is often better than off the shelf things.

High-strength industry standard encryption, properly implemented, is currently believed to be completely unbreakable. It's extremely unlikely any government agency can crack modern cryptography, as evidenced by the lengths they go to in order to try to regulate it (historically), or circumvent it at the source. You can't *prove* it's unbreakable, of course, but we've seen zero evidence to the contrary, with many, many people looking, so I won't be hypocritical and say "it's unbreakable", but "for all prac

Step 1. Procedurally generate a wall of text that is incoherent but is syntactically valid, vaguely related to the general topic, and is filled with irrelevant personal opinion, bemused speculation, and random misconceptions.

Step 2: Embed data to be secured in the middle of said text.

Step 3: Back up the data to the cloud (aka "troll Slashdot with your post")

They particularly don't like having to explain to their superiors that the budget is down £180k because they failed to follow compulsory data privacy protection regulations, and that the fines will continue to recur until they implement appropriate security.

outsource IT makes stuff like this more likely and can leave tech people in a place where they can't do stuff needed to make it work and or need to disable it to be able to get work done as some outside vendor picked something that does not work that well.

I like how he/she automatically assumes private business doesn't have incompetent can't-be-fired-because-they're-the-boss'-son-in-law idiots working for them that make the average civil servant look like Albert Einstein..

Answered too fast sadly. Besides the possibility of having idiots far more expensive outsourced from the private sector, the fact is that public sector often gets assigned second or third rate consultants because the best ones are assigned to private sector customers.

Outsourcing is the main problem with modern British government, you stupid fuck. Profit motive means doing the MINIMUM work for the MAXIMUM personal gain - it is the very opposite of what you need in a prison system, where pretty much none of the humans are informed, rational, voluntary actors.

And changing providers every few years just to suit your stupid ideology eliminates the efficiency of experience.

There is almost no British government function that has been improved by outsourcing, and IT projects ar

You just have to realize that whoever wrote that "rather pointless" line is committing a fallacy.You know... by not grasping things like separation of branches of government or things like internal control or even the idea that THE LAWS STILL APPLY.

He probably thinks that prison terms for government officials, be they politicians, soldiers, police or bureaucrats working in some office somewhere are equally pointless.After all, they are all government employees, just like the judges who would sentence t

They have a tendency to walk away in Britain...being in a prison maybe someone hid it away in a dark place, who knows. Pity they havent invented yet backup servers...Who are providing the IT services? The felons?

I think encryption is the key here. Doesn't matter so much where you store it as how encrypted it is. However, if you put it onto a device that can fit very easily into someone's pocket, then you'd better make damn sure that it's encrypted.

I can attest that the British MoJ is a Gilliamesque farce. It was as if an overzealous technocrat saw 'Brazil' and rebuilt the Civil Service in its image.I was an temp admin-monkey for 6 months after things went to shit in 2008/9, in what we called the 'Ministry of Paperwork'. The HR offices for the MoJ. Holders of 60k+ complete records of everyone who ever applied to work in the UK courts. Right up to the top judges and bigwigs.

At this point we were using WinNT on boxes with XP CoAs and paying meeeelions

I can picture a scenario that if they were encrypted, the recovery key would be lost, or the person holding it would die or resign or quit and suddenly all the backups are unrecoverable. You can say ok, so the key should be kept somewhere secure, but where? When you answer that question, then why not put the actual backups there? It's not like you could have just one key forever either. That would be insecure to never change it. But to change it means having some filing system to keep the whole list of them from years and years back and storing them so people can find them. Then how are you going to encrypt THAT?

There are plenty of solutions to this problem that only marginally reduce security. For example, keep copies of the encryption keys on index cards in a safe at the Ministry of Justice head office. An attacker would need both the backup hard drive and the key, and they are now in separate, secure locations.

As for why not move the backups off-site too - it sounds like that is the long-term plan, and this is just the stop-gap for prisons that haven't moved over to it yet.

No. It's not illegal, or even remotely so,
In many business situations, it's pretty close to mandatory. For the rest of us, encryption has caught on because of dodgy newspapers and Nigerian street markets.

In a lecture, a couple of years ago, I was asked what the best way of removing data from old drives. My answer was "a 10 year old with a lump hammer". Once that has been done with gusto, no spook or criminal News International employee will get much out of your stuff!

" The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability"
in the voice of Sir Humphrey Appleby.No minister it is not pointless at all. You get to show that their is some accountability at no cost to the government in monetary terms. The error will be shown to be a problem with a contractor that is following his original contract instead of the new updated rules so no one in the civil service will be held responsible and in the end nothing really will change and we can get on with the business of running the government.

This is just another example of the way the UK government and Civil Service, as institutions, do not understand IT. Down at the bitface, there may well be some very competent IT people - but their voices do not reach up to the levels that have control. The people who actually make the decisions, both politicians and civil servants, have no gut fel for IT. The assume that if you had over enough money to a plausible contractor, you will get something that works. The contractors, of course, are building someth

I don't believe fining it the correct punishment. I mean go ahead fine me, its not my money anyways. I really think that was travesty of justice the person in charge should be suspended or fired. One government office fining another is a slap in the face of the taxpayer who pay the fine.